OpenShift GitOps / GITOPS-9158

OpenShift GitOps Operator v1.19.2 has hardcoded pod-security labels which conflict with OCP <= 4.16


      Description of Problem

      • OpenShift-Gitops-Operator reconciles namespace labels of the openshift-gitops namespace which conflict with the EUS releases of OCP (4.12, 4.14, 4.16)

      Additional Info

      Problem Reproduction

      • OpenShift 4.16.55
      • Deploy OpenShift-Gitops in version 1.19.2
      • watch the operator pod logs: the operator continuously reconciles the namespace of the GitOps Service

      Reproducibility

      • Always

      Prerequisites/Environment

      • OpenShift 4.12, 4.14, 4.16

      Steps to Reproduce

      • as above

      Expected Results

      • no reconciliation
      • The volume of logs generated by this loop incurs high cost in log storage (external tools like Dynatrace)

      Actual Results

      • reconciliation loop

      Problem Analysis

      • The OpenShift-Gitops-Operator hardcodes the following namespace labels during reconciliation:
        pod-security.kubernetes.io/audit-version=latest
        pod-security.kubernetes.io/warn-version=latest
        pod-security.kubernetes.io/enforce-version=latest
      • OpenShift <= 4.16 enforces API-based version values instead:
        pod-security.kubernetes.io/audit-version=v1.24
        pod-security.kubernetes.io/warn-version=v1.24
        pod-security.kubernetes.io/enforce-version=v1.24

      Root Cause

      • missed in QE because the log creation is silent

      Workaround (If Possible)

      • scale the Operator to 0, which is not a good mitigation

      Fix Approaches

      • if possible, honour existing labels instead of hardcoding and enforcing specific values
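      Added illustration (not the operator's code) of the Problem Analysis and this fix approach: a hypothetical label reconcile function in the operator's language, Go, once in the reported overwrite-to-"latest" form and once honouring labels already present, plus a constructed model in which the cluster re-applies v1.24 after every update (an assumption about OCP <= 4.16 behaviour) to count how many updates each variant issues.

```go
package main

import "fmt"

// Namespace labels the operator manages, as listed in the Problem Analysis.
var managedLabels = []string{
	"pod-security.kubernetes.io/enforce-version",
	"pod-security.kubernetes.io/audit-version",
	"pod-security.kubernetes.io/warn-version",
}

// desiredLabels returns the label set the operator wants and whether a
// namespace update would be sent. overwrite=true mirrors the reported
// behaviour (force "latest" every reconcile); overwrite=false is the proposed
// fix (keep a version already present, e.g. v1.24, fill in only missing ones).
func desiredLabels(existing map[string]string, overwrite bool) (map[string]string, bool) {
	out := make(map[string]string, len(existing))
	for k, v := range existing {
		out[k] = v
	}
	changed := false
	for _, k := range managedLabels {
		if cur, ok := out[k]; !ok || (overwrite && cur != "latest") {
			out[k], changed = "latest", true
		}
	}
	return out, changed
}

// countUpdates is a constructed model (assumption, not the operator's code):
// the namespace starts with clusterVersion on all three labels and the cluster
// re-applies that value after every update, so every reconcile sees the same
// input. It returns how many updates n reconciles would issue.
func countUpdates(n int, clusterVersion string, overwrite bool) int {
	ns := map[string]string{}
	for _, k := range managedLabels {
		ns[k] = clusterVersion
	}
	updates := 0
	for i := 0; i < n; i++ {
		if _, changed := desiredLabels(ns, overwrite); changed {
			updates++
		}
	}
	return updates
}

func main() {
	fmt.Println("hardcoded 'latest', 10 reconciles:", countUpdates(10, "v1.24", true)) // 10
	fmt.Println("respect existing, 10 reconciles:", countUpdates(10, "v1.24", false)) // 0
}
```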

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

rh-ee-sghadi Siddhesh Ghadi
rhn-support-milang Michaela Lang